Results 11 - 20
of
93
A monadic analysis of information flow security with mutable state
- Journal of Functional Programming
, 2003
"... We explore the logical underpinnings of higher-order, security-typed languages with mutable state. Our analysis is based on a logic of information flow derived from lax logic and the monadic metalanguage. Thus, our logic deals with mutation explicitly, with impurity reflected in the types, in contra ..."
Abstract
-
Cited by 32 (1 self)
- Add to MetaCart
We explore the logical underpinnings of higher-order, security-typed languages with mutable state. Our analysis is based on a logic of information flow derived from lax logic and the monadic metalanguage. Thus, our logic deals with mutation explicitly, with impurity reflected in the types, in contrast to most higher-order security-typed languages, which deal with mutation implicitly via side-effects. More importantly, we also take a store-oriented view of security, wherein security levels are associated with elements of the mutable store. This view matches closely with the operational semantics of low-level imperative languages where information flow is expressed by operations on the store. An interesting feature of our analysis lies in its treatment of upcalls (low-security computations that include high-security ones), employing an “informativeness ” judgment indicating under what circumstances a type carries useful information. 1
Security types preserving compilation
- In Proc. 5th International Conference on Verification, Model Checking and Abstract Interpretation, volume 2937 of LNCS
, 2004
"... Starting from the seminal work of Volpano and Smith, there has been growing evidence that type systems may be used to enforce condentiality of programs through non-interference. However, most type systems operate on high-level languages and calculi, and \low-level lan-guages have not received much a ..."
Abstract
-
Cited by 31 (3 self)
- Add to MetaCart
Starting from the seminal work of Volpano and Smith, there has been growing evidence that type systems may be used to enforce condentiality of programs through non-interference. However, most type systems operate on high-level languages and calculi, and \low-level lan-guages have not received much attention in studies of secure information
ow " (Sabelfeld and Myers, [1]). Therefore, we introduce an information
ow type system for a low-level language featuring jumps and calls, and show that the type system enforces termination-insensitive non-interference. Furthermore, information
ow type systems for low-level languages should appropriately relate to their counterparts for high-level languages. Therefore, we introduce a compiler from a high-level imperative programming language to our low-level language, and show that the compiler preserves information
ow types.
A Type System for Robust Declassification
, 2003
"... Language-based approaches to information security have led to the development of security type systems that permit the programmer to describe confidentiality policies on data. Security type systems are usually intended to enforce noninterference, a property that requires that high-security informati ..."
Abstract
-
Cited by 30 (5 self)
- Add to MetaCart
Language-based approaches to information security have led to the development of security type systems that permit the programmer to describe confidentiality policies on data. Security type systems are usually intended to enforce noninterference, a property that requires that high-security information not affect low-security computation. However, in practice, noninterference is often too restrictive -- the desired policy does permit some information leakage. To compensate for the strictness...
Sequentiality and the π-Calculus
, 2001
"... We present a simple type discipline for the π-calculus which precisely captures the notion of sequential functional computation as a specific class of name passing interactive behaviour. The typed calculus allows direct interpretation of both call-by-name and call-by-value sequential functions. T ..."
Abstract
-
Cited by 29 (17 self)
- Add to MetaCart
We present a simple type discipline for the π-calculus which precisely captures the notion of sequential functional computation as a specific class of name passing interactive behaviour. The typed calculus allows direct interpretation of both call-by-name and call-by-value sequential functions. The precision of the representation is demonstrated by way of a fully abstract encoding of PCF.
Linearity and bisimulation
- In FoSSaCs'02 (2002
, 2002
"... Abstract. Exploiting linear type structure, we introduce a new theory of weak bisimilarity for the π-calculus in which we abstract away not only τ-actions but also non-τ actions which do not affect well-typed observers. This gives a congruence far larger than the standard bisimilarity while retainin ..."
Abstract
-
Cited by 27 (7 self)
- Add to MetaCart
Abstract. Exploiting linear type structure, we introduce a new theory of weak bisimilarity for the π-calculus in which we abstract away not only τ-actions but also non-τ actions which do not affect well-typed observers. This gives a congruence far larger than the standard bisimilarity while retaining semantic soundness. The framework is smoothly extendible to other settings involving nondeterminism and state. As an application we develop a behavioural theory of secrecy in the π-calculus which ensures secure information flow for a strictly greater set of processes than the type-based approach in [20, 23], while still offering compositional verification techniques. 1
Closing internal timing channels by transformation
- IN PROCEEDINGS OF THE 11TH ANNUAL ASIAN COMPUTING SCIENCE CONFERENCE, LNCS
, 2007
"... A major difficulty for tracking information flow in multithreaded programs is due to the internal timing covert channel. Information is leaked via this channel when secrets affect the timing behavior of a thread, which, via the scheduler, affects the interleaving of assignments to public variables. ..."
Abstract
-
Cited by 26 (6 self)
- Add to MetaCart
(Show Context)
A major difficulty for tracking information flow in multithreaded programs is due to the internal timing covert channel. Information is leaked via this channel when secrets affect the timing behavior of a thread, which, via the scheduler, affects the interleaving of assignments to public variables. This channel is particularly dangerous because, in contrast to external timing, the attacker does not need to observe the actual execution time. This paper presents a compositional transformation that closes the internal timing channel for multithreaded programs (or rejects the program if there are symptoms of other flows). The transformation is based on spawning dedicated threads, whenever computation may affect secrets, and carefully synchronizing them. The target language features semaphores, which have not been previously considered in the context of termination-insensitive security.
Bridging language-based and process calculi security
- In Proc. of Foundations of Software Science and Computation Structures (FOSSACS’05), volume 3441 of LNCS
, 2005
"... Abstract. Language-based and process calculi-based information security are well developed fields of computer security. Although these fields have much in common, it is somewhat surprising that the literature lacks a comprehensive account of a formal link between the two disciplines. This paper deve ..."
Abstract
-
Cited by 25 (4 self)
- Add to MetaCart
(Show Context)
Abstract. Language-based and process calculi-based information security are well developed fields of computer security. Although these fields have much in common, it is somewhat surprising that the literature lacks a comprehensive account of a formal link between the two disciplines. This paper develops such a link between a language-based specification of security and a process-algebraic framework for security properties. Encoding imperative programs into a CCSlike process calculus, we show that timing-sensitive security for these programs exactly corresponds to the well understood process-algebraic security property of persistent bisimulation-based nondeducibility on compositions ( § ¨�©��� �). This rigorous connection opens up possibilities for cross-fertilization, leading to both flexible policies when specifying the security of heterogeneous systems and to a synergy of techniques for enforcing security specifications. 1
Securing timeout instructions in web applications
- In Proc. IEEE Computer Security Foundations Symposium
, 2009
"... Timeout mechanisms are a useful feature for web applications. However, these mechanisms need to be used with care because, if used as-is, they are vulnerable to timing attacks. This paper focuses on internal timing attacks, a particularly dangerous class of timing attacks, where the attacker needs n ..."
Abstract
-
Cited by 23 (13 self)
- Add to MetaCart
(Show Context)
Timeout mechanisms are a useful feature for web applications. However, these mechanisms need to be used with care because, if used as-is, they are vulnerable to timing attacks. This paper focuses on internal timing attacks, a particularly dangerous class of timing attacks, where the attacker needs no access to a clock. In the context of client-side web application security, we present JavaScript-based exploits against the timeout mechanism of the DOM (document object model), supported by the modern browsers. Our experimental findings reveal rather liberal choices for the timeout semantics by different browsers and motivate the need for a general security solution. We propose a foundation for such a solution in the form of a runtime monitor. We illustrate for a simple language that, while being more permissive than a typical static analysis, the monitor enforces termination-insensitive noninterference. 1.
Channel Dependent Types for Higher-Order Mobile Processes (Extended Abstract)
- In POPL’04
, 2004
"... Nobuko Yoshida Imperial College London ABSTRACT We introduce a new expressive theory of types for the higher-order p-calculus and demonstrate its applicability via non-trivial security analyses of a simple class-based language with distributed code mobility. The new theory significantly improves ..."
Abstract
-
Cited by 23 (6 self)
- Add to MetaCart
(Show Context)
Nobuko Yoshida Imperial College London ABSTRACT We introduce a new expressive theory of types for the higher-order p-calculus and demonstrate its applicability via non-trivial security analyses of a simple class-based language with distributed code mobility. The new theory significantly improves our previous one presented in [52] by the use of channel dependent/existential types. New dependent types control dynamic change of process accessibility via channel passing, while existential types guarantee safe scope-extrusion in higher-order process passing. This solves an open issue in [52], leading to significant enlargement of original typability. Two basic security concerns for mobile computation, secrecy for data confidentiality and access controls for authorised resources are analysed in a uniform type-based static framework, culminating in the noninterference theorem and authority-error freedom in the presence of higher-order code mobility. The generality and expressiveness of the new type discipline are tested with a sound embedding of multi-threaded class-based language with dynamic code/class distribution, enforcing secrecy and accessibility.
Typing Noninterference for Reactive Programs
"... We study the security property of noninterference for a class of synchronous programs called reactive programs. We consider a core reactive language, obtained by extending the imperative language of Volpano, Smith and Irvine with a form of scheduled parallelism and with reactive primitives that mani ..."
Abstract
-
Cited by 21 (4 self)
- Add to MetaCart
(Show Context)
We study the security property of noninterference for a class of synchronous programs called reactive programs. We consider a core reactive language, obtained by extending the imperative language of Volpano, Smith and Irvine with a form of scheduled parallelism and with reactive primitives that manipulate broadcast signals. The definition of noninterference has to be tuned to the particular nature of reactive computations, which are regulated by a notion of instant. Moreover, a new form of covert channel may arise in reactive computations, called suspension leak. We give a formulation of noninterference based on bisimulation, as is now usual for concurrent languages. We then propose a type system to enforce this property in our language. Our type system is inspired by that introduced by Boudol and Castellani, and independently by Smith, for a parallel language with scheduling. We establish the soundness of our type system with respect to our new notion of noninterference. We finally show that this notion of noninterference refines in several aspects the standard one for imperative languages.
